In this article I will walk you through how I completed the Stapler machine challenge hosted on VulnHub. Stapler is particularly interesting because it lets you gather a lot of varied information through enumeration – one of the best machines for practising this, actually – thanks to @g0tmi1k for it!

Quite a lot of interesting ports are revealed, and there is already some data worth writing down: a potential user named Tim and a company named Initech.

Having learned from previous experience that the amap tool – while old – can add information by fingerprinting the services, I gave it a shot:

Amap proves useful, giving us more usernames (Harry, Dave, Pam) that we will try later, and other interesting information… like port 12380, which matched the http protocol but also ssl and ntp (?)… we will check that later.

Now we will take the information we have about the open ports and try to find our way in…

1.1 Port 21

We connect to the FTP service with the anonymous account and notice the banner we already knew from amap. On the FTP server we find a file named note with the following content:

1.2 Port 22

Connecting to SSH reveals a new potential username in the banner:

1.3 Port 80

It seems to be a light HTTP server, no banners, no headers… running nikto against it reveals two files from a user's home directory:

http://172.16.100.63/.bashrc

http://172.16.100.63/.profile

I have tried a more advanced directory and file brute force with wfuzz, but no other files were found.

1.4 Port 139 – SMB

Listing the shares gives us some more information… two shared folders (kathy and tmp) and two potential new usernames (kathy and fred):

Browsing the shares gives us more information and some interesting files:

1.5 Port 666

Connecting to it with netcat reveals binary content, and the string message2.jpg suggests it might be a picture… after downloading it we realize that it is not viewable: either it is corrupt, or it is something else – an archive:
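The quickest way to settle "corrupt picture or something else" is to look at the magic bytes rather than the name: a JPEG starts with FF D8 FF, while a zip archive starts with PK 03 04 and stores its member file names in plain text inside the local file headers, which is why a `strings` pass over such a blob shows a name like message2.jpg. The following script is an added example of that check and is not part of the original write-up; the banner text and the archive contents it builds are constructed stand-ins for the blob pulled from the port, and it also handles the case where the capture has some leading text in front of the real payload.

```python
import io
import zipfile

# Standard magic-byte signatures for a few common formats.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "zip": b"PK\x03\x04",
    "gzip": b"\x1f\x8b",
    "pdf": b"%PDF-",
    "elf": b"\x7fELF",
}

# Constructed banner: stands in for any text the service emits before the payload.
BANNER = b"constructed banner line from the service\n"


def identify(data: bytes) -> tuple:
    """Return (format, offset) for the earliest known signature in data,
    or ("unknown", -1). A non-zero offset means something (a banner, a
    protocol preamble) precedes the real payload and has to be cut off."""
    best = ("unknown", -1)
    for name, sig in SIGNATURES.items():
        off = data.find(sig)
        if off != -1 and (best[1] == -1 or off < best[1]):
            best = (name, off)
    return best


def zip_members(data: bytes) -> list:
    """List the member names of a zip archive found inside data.
    Returns [] when no zip signature is present."""
    fmt, off = identify(data)
    if fmt != "zip":
        return []
    with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
        return zf.namelist()


def build_sample_capture() -> bytes:
    """Constructed stand-in for the downloaded blob: a short text banner
    followed by a zip archive holding one member named message2.jpg."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("message2.jpg", b"constructed placeholder, not a real image")
    return BANNER + buf.getvalue()


if __name__ == "__main__":
    blob = build_sample_capture()
    fmt, off = identify(blob)
    print(f"detected {fmt} at offset {off}")
    print("archive members:", zip_members(blob))
```

Run it as-is to see the constructed blob classified as a zip with a banner in front, or swap in `open("message2.jpg", "rb").read()` to test a real download; a picture that identifies as "zip" should be handed to an unarchiver, not an image viewer.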

Finally, opening message2.jpg will reveal new information:

1.6 Port 12380

Opening it in the browser shows us a website… we note the title of the page, which includes information about another potential user – Tim:

Looking through the source code we find an interesting message:

And… that is pretty much everything; no other files or directories were found.

Keeping in mind that amap also matched port 12380 as ssl, we also try to access it over https:

This is kind of strange – http and https on the same port; I guess the web server was intentionally misconfigured.

Running nikto against the https version gives us some hints for going further:

Going to the front page, we identify the path of the created “thumbnail” file and download it:

Of course this is not a picture but the whole wp-config.php file, which gives us the credentials to the database:

Having collected so many usernames from various sources, we also started a brute-force attack on the WordPress administrative interface and got some accounts, but none of them is an administrator of the blog:

Having a username (root) and a password for the database server, we think of another plan….

Connecting to MySQL works – so, considering that we are root and have all privileges, we will create a web shell through MySQL:
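From the defender's side, what makes this step possible is a database account that can write files onto the server; the `secure_file_priv` server option restricts where MySQL may write at all, and the FILE privilege should not be granted to accounts reachable with credentials that sit in a web-readable config. When it does happen, the result is a PHP file in the web root owned by the MySQL server process user, almost always containing a request superglobal feeding an execution function. The scanner below is an added example of looking for that shape in a web root; it is my own heuristic, not the author's code or any vendor's signature set, and the sample web root it builds (including the dropped file under uploads) is constructed for the demonstration.

```python
import os
import re
import tempfile

# Heuristic indicators of a minimal PHP web shell. These patterns are this
# example's own, not a vendor signature set.
SINKS = re.compile(
    r"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open)\s*\(", re.I
)
SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I)
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")


def score_php(src: str) -> dict:
    """Classify one PHP source text. 'suspicious' = an execution sink together
    with request input or a decoder (the shape of a dropped shell);
    'review' = a sink or decoder on its own; 'clean' = neither."""
    sinks = sorted({m.group(1).lower() for m in SINKS.finditer(src)})
    sources = sorted({"$_" + m.group(1) for m in SOURCES.finditer(src)})
    obf = sorted({m.group(1).lower() for m in OBFUSCATION.finditer(src)})
    if sinks and (sources or obf):
        verdict = "suspicious"
    elif sinks or obf:
        verdict = "review"
    else:
        verdict = "clean"
    return {"sinks": sinks, "sources": sources, "obfuscation": obf, "verdict": verdict}


def scan_webroot(root: str) -> dict:
    """Walk a web root and return {relative path: result} for every PHP file
    that is not clean. Paths use '/' so results compare the same on any OS."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = score_php(fh.read())
            if result["verdict"] != "clean":
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = result
    return findings


def build_sample_webroot() -> str:
    """Constructed web root in a temp dir: a normal page, a config file with a
    placeholder value, and one dropped shell under the uploads directory."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    samples = {
        "index.php": "<?php echo 'hello'; ?>",
        "wp-config.php": "<?php define('DB_USER', 'placeholder'); ?>",
        "wp-content/uploads/cmd.php": "<?php system($_GET['cmd']); ?>",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, result in scan_webroot(build_sample_webroot()).items():
        print(rel, result["verdict"], result["sinks"], result["sources"])
```

Point `scan_webroot` at a real document root to triage it; pair the content check with an ownership check (PHP files in the web root owned by the database service user rather than the web server user are worth a look on their own), and treat `secure_file_priv` plus revoking FILE from application accounts as the fix that removes the write path entirely.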

We first tried to run netcat on the vulnerable machine to get a reverse shell, but it seems that this build does not allow running commands with the -e flag. So we have another alternative in mind: using a short Python script we can get our reverse connection.